@av_  Thank you for the additional detail. Makes sense. I would handle that as two separate jobs. I would say this is the solution and can be cleanly executed.   ... View more

Hi @av_ ! Your expression looks correct to account for the 8 hour difference, assuming the cron job is executing in your timezone. 21:00 Sunday GMT would be 5:00 Monday BJT. So if that is not working as expected, then the cron job may not be running out of your GMT timezone. If it's running out of the BJT timezone, then the cron needs to be re-written to: */5 5-22 * * 1-5 Did you test that? What was the result? If that also isn't working, then more details are needed for people to figure out why the cron is executing in neither timezone ... View more

Hi @av_ ! To double-check cron expressions, I may resort to using a tool like crontab guru. When I put the expression you provided in there, it suggests the 0-5 part of the cron expression includes Sunday. https://crontab.guru/#*/5_21-23,0-13_*_*_0-5 So if we change that part from 0-5 to 1-5, it appears that may work for you. Good luck! If you find this hopeful please give it a thumbs up! ... View more

Hi @av_ ! There's a tool some of us use to provide a gut-check, crontab guru (not affiliated in any way with it - just a user),  which I used on the cron you provided: https://crontab.guru/#*/5_21-23,0-13_*_*_0-5 The tool's assessment, is the cron runs on Sundays. If we breakdown the cron, the last part (0-5) sets the days of the week. So it we try changing that to 1-5, it appears it may work for you. */5 21-23,0-13 * * 1-5 There are other tools out there. There's nothing magical about what I used, but I like it for people who are unfamiliar with cron. Good luck! If this helped you, please provide it a thumbs up. ... View more

@geofrey1  Welcome to the Splunk Community! You mean after people log in, the page that loads is not the same for everyone? That's correct. Each person can set their own preference. Once logged in, click your username, select preferences, and select your default application. Each default application, can also have a default page, but you can't select that, that's in the app's configuration set by the admins. ... View more

Hi @kundanti! Here's some helpful links to get you started on your journey. Once you have attempted to solve the problem, if you have a very specific issue, open a new question here. You'll need a search specific to your environment and your permissions that can access the information: https://community.splunk.com/t5/Splunk-Search/How-to-generate-a-search-to-find-license-usage-for-a-particular/m-p/359652 Then you'll need to figure out what "normal" for your org looks like. Then you'll need to alert if below "normal". https://community.splunk.com/t5/Alerting/alert-on-license-usage/m-p/32474 Good luck! ... View more

@Sharzi  There's no silver bullet to these types of things. It's a lot of trial and error. @VatsalJagani offered some good tips. We also found sometimes using the AUTO window when scheduling (with the cron), have some queries send to summary index once a week (instead of twice a day), making sure we look at conflicting schedules, s not just our jobs in our app, but all jobs across all apps, etc. After support tickets, with band-aids like this, things became worse. We diagnosed the hardware and found contention on some KPI's. We upgraded the hardware and the issues went away. Good luck! ... View more

@sovereign-03  You provided the search you're running, but what's the problem? You mention unbalanced quotes in your title, but there's no quotes in your search. Is it that the search won't run, or you aren't getting the results you expected (what are the results you're getting?), or something else? More details may lead to someone being able to help out. ... View more

@Jdtoney  My mind went to regular expressions, and I went to sanity check my thoughts against the following articles: https://community.splunk.com/t5/Splunk-Search/Multi-Line-field-extraction/m-p/331355 https://community.splunk.com/t5/Splunk-Search/Multi-line-field-Extraction/m-p/73920 with one of them mentioning using the field extractor: https://docs.splunk.com/Documentation/Splunk/latest/Knowledge/ExtractfieldsinteractivelywithIFX Using what you provided, I was able to craft a regular expression that gets close to what you want as two fields, and then you can use an eval to glue the two fields together. YMMV, for what you want to capture and not, and based on your actual logs. Regular Expression: Message: Help\. Reason: (?<firstpart>.*)\n\n.*?@ 1 @ (?<secondpart>.*).$ In context: https://regex101.com/r/29jHcy/1 Good luck! If this was helpful at all, please consider giving some karma. ... View more

Congratulations to everyone in this Splunk MVP cohort! I am humbled and honored to have been selected for this amazing group! ... View more

@dmoberg  Your description gives you a possible answer. You're looking for a combination of location and statuscode  by time. So that's what you provide to the timechart command: | eval newfield = 'body.records.properties.responseCode' + "_" + 'body.records.location' ``` double check these single and double quotes due to editor here``` | timechart span=15 count BY newfield What you end up with is a timechart showing something like this along your timechart: 200_Omaha 404_Anahiem ... View more

@MonkeyK All the possible fields for all the selected sourcetypes? With an assumption that the sourcetypes all have the same fields every time so you can create a list of "supposed_to_be_there_fields" and then reference that list every time, to find when a field is missing. Is that right? That's a few questions rolled into one. They probably all won't be answered here. Solve for the first part and then create another question for the second part (referencing the first part, for those who come along later). * Create a list. Use what you have (then determine how often it's going to be updated). An alternative could be something like | fieldsummary I suspect you already knew this command. Here's the link to the docs for those finding this later: https://docs.splunk.com/Documentation/Splunk/latest/SearchReference/Fieldsummary * Export as csv, and use as a lookup. Comparing the lookup list against what's available to find what's missing. In the Splunk community, we often kick this link around (credit: Duane Waddle): https://www.duanewaddle.com/proving-a-negative/ As a one-off, this might be okay. As an ongoing solution against 100's of sourcetypes, it sounds a little fragile. YMMV. Best of luck! Maybe this helped some. ... View more

@mdr003That's possible. Depending on where you're getting the data from with the correct index, source, sourcetype, host values, and search terms, you can get there. Here's a fictitious example, that might help you get there. This gets the data, breaks time into 1 second bins, performs a status count per the time of 1 second bins, sorts the result with largest count first, then clips it to the first 3. Season to taste. Good luck! index=_internal source=*scheduler.log search_type=scheduled | bin _time AS _time span=1s | stats count(host) AS Count BY _time host | sort - Count | head 3 ... View more

@Jouman  If the answers helped you, please don't forget to "accept" the answer (so the community knows this has been answered) and click the thumbs up to give some karma! 🙂 ... View more

@Sammy13  is there really a "T" in there, or is that a typo? Can you show us an actual log entry? obfuscate any sensitive data ... View more

@jhamot23  Did you know there's a top command? (it defaults to top 10, but this is configurable if you want) See if this gets you in the neighborhood:   index=firewall | top src_ip BY url   ... View more

@Srubhi  In your query, go to the statistics view, click the little paintbrush next to the column and follow the items I show in this screenshot. This should be able to do what you want. Good luck! ... View more

@Digvijay  It's a matter of customizing the regular expression as you need. There's a lot of pros and cons to using regular expressions, so make sure all your use cases and negative use cases work with your query. Try this:   source="http:product_inv_rest" | spath message | regex message="\/product\s(?!123456)(?<TheseAreTheNumbersIWant>\d+)" | search TheseAreTheNumbersIWant=*   Now all the results following this line will have a number in the message and that number isn't 123456. ... View more